Western Union CO 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Western Union CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:06:22 EST.

Filings

10-K filed on 2024-02-22

Western Union CO filed an 10-K at 2024-02-22 16:06:22 EST
Accession Number: 0000950170-24-018751

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity To help address cybersecurity threats, Western Union has developed a strategy and implemented a program to identify, assess, and prioritize cybersecurity risks as part of our broader enterprise risk management processes. We recognize that cybersecurity threats are constantly evolving and that there is no single solution that can guarantee complete protection. Our cybersecurity strategy is designed to protect the confidentiality of our data from unauthorized access, the integrity of information throughout its lifecycle, and the availability of that information and the related systems. Our strategy is guided by the National Institute of Standards and Technology Cybersecurity Framework, which helps us identify, assess, and manage cybersecurity risks relevant to our business. Within our cybersecurity program, we have identified and implemented a variety of processes for cybersecurity risk management: We conduct regular risk assessments to identify and evaluate potential cybersecurity threats, including threats to our business operations, technology infrastructure, and data. We monitor threat intelligence feeds to stay updated on the latest cybersecurity threats and vulnerabilities. We scan our systems for vulnerabilities on an ongoing basis, with vulnerabilities prioritized and remediated based on their potential impact. We have implemented a variety of access controls to restrict access to our systems and data, including user authentication, authorization, and encryption. We conduct regular security awareness training for our employees to help them identify and avoid cybersecurity threats. We periodically conduct test exercises to review our cybersecurity controls and identify improvements. Consultants and other third-party vendors that assist with cybersecurity risks or processes are included in our vendor risk assessment program, which identifies and oversees cybersecurity risks specific to our use of these vendors. Our cybersecurity governance framework is designed to manage cybersecurity risks at all levels of the organization. As part of this governance framework, our Board of Directors regularly devotes time during its meetings to review and discuss the most significant risks facing the Company, including cybersecurity threats, and management s process for identifying, prioritizing, and responding to them. The Audit Committee of the Board of Directors assists the Board in overseeing the significant risk exposures facing the Company and regularly reviews cybersecurity risks at its committee meetings. Cybersecurity risks are integrated into the broader company risk management system through our Information Security and Privacy Committee ( ISPC ), which is a subcommittee of our Enterprise Risk Committee (the ERC ), is co-chaired by the Chief Information Security Officer and Chief Privacy Officer, and consists of senior leaders across the company. The ISPC is charged with oversight, advisory, and decision-making responsibilities with respect to information security and privacy risks. Management, including the ERC, is responsible for communicating cybersecurity risks to the Audit Committee and Board of Directors. Our cybersecurity program, led by our Chief Information Security Officer, who reports to our Chief Risk and Compliance Officer, has a team of dedicated, experienced cybersecurity professionals responsible for day-to-day security operations and strategic cybersecurity programs. The Chief Information Security Officer has over 20 years of experience in security risk management, with over 10 years of experience leading cybersecurity teams. All employees are responsible for protecting Western Union s data and systems and are required to follow Western Union s cybersecurity policies. We have been, and continue to be, the subject of cybersecurity attacks and threats, including distributed denial of service and ransomware attacks. Historically, none of these attacks or breaches has individually or in the aggregate resulted 43 Table of Contents in any material liability to us or any material damage to our reputation. Disruptions related to cybersecurity have not caused any material interruption to our business, strategy, results of operations, or financial condition. There can be no assurance that such attacks or disruptions will not have a material adverse impact on us in the future.

Company Information